Hi friends,

I use CodeIgniter, and I am having trouble with hacking :( Is it possible to make an SQL injection against the login code below?

    function process_login()
    {
        // Escape the submitted username and the MD5 of the submitted password
        $username = mysql_real_escape_string($this->input->post('username'));
        $password = mysql_real_escape_string(MD5($this->input->post('password')));

        // Check user table
        $query = $this->db->getwhere('users', array('username' => $username, 'password' => $password));

        if ($query->num_rows() > 0)
        {
            // success login data
        }
    }
Am I using mysql_real_escape_string wrong, or what?

Appreciate the help!

A: 

Have a look at this old SO question.
I would use:

    // Query bindings: each bound value is escaped and quoted by query(), so the
    // ? placeholders are left unquoted and both values go in a single array.
    $sql = "SELECT * FROM users WHERE username = ? AND password = ?";
    $dbResult = $this->db->query($sql, array($this->input->post('username'), $this->input->post('password')));
systempuntoout
So, no need to use mysql_real_escape_string this way?
artmania
Nope, if you use query bindings on the query() method. http://codeigniter.com/user_guide/database/queries.html
systempuntoout
A: 

No, what you have posted is probably not vulnerable to SQL injection. Although getwhere() could be doing a stripslashes(), I'm not sure.

It's likely that if there is SQL injection, it is in another part of your application. The attacker could use this vulnerability to obtain your extremely weak md5() hash, crack it, and then log in. Use any member of the SHA-2 family; SHA-256 is a great choice.

If your site has been defaced then I seriously doubt that it is SQL injection. It's difficult to automate the exploitation of SQL injection to deface websites, but it is possible. I would make sure that all libraries and installed applications are fully updated, especially if you have a CMS or forum. You could run an OpenVAS scan against your site to see if it finds any old software.

Rook
A: 

If this is an ongoing hack, then seriously consider putting some logging in place to record the username/password in a file somewhere. If it is an SQL injection via this login snippet, then it would show up in this new log file somewhere. And while you're at it, if you can, log the generated SQL query as well.

In any case, remember that mysql_real_escape_string() only covers MySQL's metacharacters: single quote, double quote, semicolon, etc. It is still entirely possible to hack the login function via mangling of a boolean parameter. Impossible to say if your "getwhere" function is vulnerable, but consider the case where the submitted password is "xyz OR (1=1)". The generated query might end up looking something like

    SELECT id FROM users WHERE users=someusername AND password=xyz OR (1=1);

Perfectly valid query, and it has also passed through mysql_real_escape_string intact because it didn't contain any of the critical metacharacters.

Marc B
The generated query will have single quotes around the someusername and xyz strings, so in this case no harm.
sam munkes
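The three points made in this thread (systempuntoout's query bindings, Marc B's "xyz OR (1=1)" value landing in an unquoted position, and sam munkes's reply that a quoted-and-escaped string is harmless) can be seen side by side in a small script. This is an added example, not code from the question or from CodeIgniter: it runs against an in-memory SQLite table, so `escape()` is a stand-in for mysql_real_escape_string in SQLite's dialect, the user rows are constructed, and password hashing is left out. Every statement built is also appended to `SQL_LOG`, which is the "log the generated SQL query" suggestion from the last answer.

```python
import sqlite3

# Each generated statement (and its bound values, where any) is recorded here,
# mirroring the advice to log the generated SQL while a hack is ongoing.
SQL_LOG = []


def make_db():
    # Constructed stand-in for the 'users' table; hashing is omitted, so the
    # password column just holds the expected plaintext for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "pw-alice"), ("bob", "pw-bob")])
    return conn


def escape(value):
    # Stand-in for mysql_real_escape_string (assumption, SQLite dialect): a single
    # quote inside a string literal is written as two single quotes.
    return str(value).replace("'", "''")


def login_quoted(conn, username, password):
    # Escaped AND wrapped in single quotes, which is what the comment on the last
    # answer says the framework produces: "xyz OR (1=1)" stays a string literal.
    sql = ("SELECT id FROM users WHERE username='%s' AND password='%s'"
           % (escape(username), escape(password)))
    SQL_LOG.append(sql)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_unquoted(conn, user_id):
    # A numeric parameter dropped in bare, the "mangling of a boolean parameter"
    # case: escaping cannot help because no metacharacter is needed to change
    # the statement's meaning.
    sql = "SELECT id FROM users WHERE id=%s" % escape(user_id)
    SQL_LOG.append(sql)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_bound(conn, user_id):
    # Query binding: the value is never spliced into the statement text, so the
    # database compares the id column against the whole submitted string.
    sql = "SELECT id FROM users WHERE id=?"
    SQL_LOG.append((sql, (user_id,)))
    return [row[0] for row in conn.execute(sql, (user_id,))]


def login_bound(conn, username, password):
    # The bindings form of the login check from the first answer.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    SQL_LOG.append((sql, (username, password)))
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    payload = "xyz OR (1=1)"                       # the value from the last answer
    print(login_quoted(conn, "alice", payload))    # [] : quoted literal, no harm
    print(find_by_id_unquoted(conn, "1 OR (1=1)")) # [1, 2] : every user matched
    print(find_by_id_bound(conn, "1 OR (1=1)"))    # [] : compared as plain text
    for entry in SQL_LOG:
        print(entry)
```

Reading `SQL_LOG` after the run shows exactly why the answers disagree: the string case carries its quotes into the statement, while the bare numeric case becomes `WHERE id=1 OR (1=1)` and returns every row. Bindings make the distinction irrelevant, since no submitted value is ever part of the statement text.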